Cybersecurity researchers at Fortinet’s FortiGuard Labs have issued a warning about an active MaaS (malware-as-a-service) operation distributing a dangerous data-stealing malware called Stealit.
This infostealer is designed to give the operator control of a victim's computer and exfiltrate private information. The campaign is ongoing, targets Microsoft Windows users regardless of organisation or sector, and has been assigned a Medium severity level by FortiGuard Labs.
A New Way to Hide
The Stealit campaign's most notable change is a new packaging method intended to slip past security controls.
FortiGuard Labs' investigation revealed that the campaign is leveraging a feature of the Node.js runtime called Single Executable Application (SEA). This is a crucial detail, as earlier builds of the malware were packaged with the Electron framework instead. The purpose of the switch is to make the malware harder to spot and block.
The SEA approach bundles the Node.js runtime, the malicious JavaScript, and its dependencies into a single executable. The resulting program runs even on a computer that does not have Node.js installed. As the researchers put it, this allows the malware to run "without requiring a pre-installed Node.js runtime or additional dependencies."
Threat actors are likely taking advantage of the SEA feature’s novelty, hoping to catch security programs and analysts off guard. The malware is further protected by heavy code obfuscation and numerous anti-analysis checks designed to detect and terminate execution if it detects a debugger, a virtual environment, or suspicious processes.
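Because an SEA binary is a copy of the stock Node.js executable with a script blob injected into it, the packaging itself leaves a recognisable trace. The following Python triage check is an added example written for this article; it is not FortiGuard's tooling or anything from the campaign. It relies on two strings documented in the Node.js SEA guide: the sentinel fuse `NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2` (compiled into every official Node.js binary and rewritten from `:0` to `:1` by the build step) and the injected resource name `NODE_SEA_BLOB`. The sample byte strings are constructed stand-ins, not real files.

```python
"""Triage heuristic: does an executable look like a Node.js Single Executable
Application (SEA)?  Added example for this article, not FortiGuard's code."""
import sys

# Sentinel string compiled into every official Node.js binary.  The SEA build
# step (postject) rewrites the ":0" that follows it to ":1"; at startup the
# runtime checks that byte to decide whether to look for an embedded blob.
SEA_FUSE = b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2"
# Name of the injected PE resource / ELF note / Mach-O segment holding the
# bundled script.  PE resource names are stored as UTF-16LE.
SEA_BLOB_NAME = "NODE_SEA_BLOB"


def classify_node_binary(data: bytes) -> dict:
    """Return indicators about whether `data` is a Node.js SEA executable."""
    idx = data.find(SEA_FUSE)
    fuse_state = None  # None: sentinel absent (not Node.js, or outer layer is packed)
    if idx != -1:
        tail = data[idx + len(SEA_FUSE): idx + len(SEA_FUSE) + 2]
        fuse_state = {b":1": "armed", b":0": "unarmed"}.get(tail, "unknown")
    has_blob_name = (SEA_BLOB_NAME.encode("ascii") in data
                     or SEA_BLOB_NAME.encode("utf-16-le") in data)
    return {
        "node_runtime": fuse_state is not None,
        "fuse_state": fuse_state,
        "has_blob_name": has_blob_name,
        # The flipped fuse is the definitive signal; the blob name is supporting.
        "is_sea": fuse_state == "armed",
    }


def verdict(data: bytes) -> str:
    """Collapse the indicators into a one-word triage verdict."""
    r = classify_node_binary(data)
    if r["is_sea"]:
        return "node-sea"
    if r["node_runtime"]:
        return "node-plain"
    return "not-node"


# Constructed stand-ins for real files (not samples from the campaign):
SAMPLE_PLAIN_NODE = b"MZ\x90\x00" + b"\x00" * 64 + SEA_FUSE + b":0" + b"\x00" * 32
SAMPLE_SEA = (b"MZ\x90\x00" + b"\x00" * 64 + SEA_FUSE + b":1" + b"\x00" * 32
              + SEA_BLOB_NAME.encode("utf-16-le") + b"\x00" * 16)
SAMPLE_OTHER = b"MZ\x90\x00" + b"\x00" * 64 + b"not a node binary" + b"\x00" * 16


def main(argv: list[str]) -> None:
    # With file paths on the command line, triage those; otherwise run the
    # constructed samples so the script demonstrates itself offline.
    if argv:
        for path in argv:
            with open(path, "rb") as fh:
                print(f"{path}: {verdict(fh.read())}")
        return
    for name, blob in (("plain node", SAMPLE_PLAIN_NODE),
                       ("sea build", SAMPLE_SEA),
                       ("other exe", SAMPLE_OTHER)):
        print(f"{name}: {verdict(blob)} {classify_node_binary(blob)}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Two caveats apply when using this in a pipeline. First, the check identifies the packaging, not intent: a legitimate SEA-built tool matches just as well, so a hit is a reason to inspect the embedded script, not a conviction. Second, it only works on the unpacked outer executable; if the sample ships inside an archive, a PyInstaller wrapper, or a runtime packer, unpack that layer first or the sentinel string will not be visible.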
A Professional Cybercrime Service
Stealit operators are running this as a full commercial service, advertising "professional data extraction solutions" through various subscription plans. They have relocated their Command-and-Control (C2) server multiple times, switching from the domain stealituptaded.lol to iloveanimals.shop. Moreover, they offer clear pricing for lifetime access: around $500 for the Windows version and $2,000 for the Android version.

The malware's main selling point is its extensive list of remote access capabilities, including:
- Live screen monitoring and webcam control
- Remote system management (shutdown/restart)
- The ability to push fake alert messages to the victim
What’s At Risk
According to FortiGuard Labs' blog post, shared with Hackread.com ahead of publishing on Friday, Stealit operators distribute the malware by disguising it as installers for popular games and VPN applications. They upload these files, packaged either in common compressed archives or as PyInstaller executables, to file-sharing sites such as Mediafire and Discord.
Once installed, the malware harvests login credentials, cryptocurrency wallets, and other sensitive data from a range of applications on the victim's machine; that data can then be used in follow-on attacks.
The researchers noted that the malware’s authors quickly shift tactics, sometimes reverting to the older Electron framework for payload delivery to keep security teams guessing.
This campaign highlights how quickly threat actors adapt by weaponising legitimate software features, like Node.js SEA, to remain undetected. With the malware being distributed via lures like games and VPNs, users must exercise extreme caution with software downloads from unofficial sources.
"This is great research tracking the evolution of a focused campaign," said Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, a San Francisco, Calif.-based leader in crowdsourced cybersecurity.
“The targeted user population is what’s most interesting to me – gamers generally have high-performance hardware, and are accustomed to running all kinds of random software in support of their gaming, and the gaming ecosystem is a mess of binaries and network connections BEFORE you start adding in helpers, performance mods, and cheating resources,” Ford explained.
Ford warned that when IT professionals use the same devices or networks for both gaming and work, it creates a vulnerable environment that attackers could exploit for coordinated cyber operations.
"There is a large population of privileged IT workers that are avid gamers (many moved into IT thanks to a passion for gaming) – meaning hardware used for work and play, lateral network access to their laptop, and extortionary material on those users are all levers to be used for coordinated adversarial development."